Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Multiple Where Clause

itsmevic
Communicator
‎06-24-2020 01:05 PM

I'm running the below query across the network and would like it to pinpoint that search towards two users rather than run the search across the entire network and have hundreds of users.  When I use the "where" clause and enter in both users that I'd like to search under, nothing comes back.  The moment I remove the "where" clause, data comes back.  Should my where clause positioned elsewhere up the pipe?  Or is it just a matter of incorrect syntax?

| from datamodel:"Authenticate"
| eval host=upper(host)
| search [| inputlookup hosts_upper.csv]
| search user!=svc* NOT src_user IN (system, dbagent, svc*)
| search NOT signature_id IN (4769, 4672, 4648)
| eval "Logon Type" = case(Logon_Type == 2, "Interactive", Logon_Type == 3, "Network", Logon_Type == 4, "Batch",
Logon_Type == 5, "Service", Logon_Type == 7, "Unlock", Logon_Type == 8, "Clear Text",
Logon_Type == 9, "New Credentials", Logon_Type == 10, "Remote Interactive", Logon_Type == 11, "Cached Interactive")
| fillnull value=NULL "Unknown"
| table _time action host user src app Logon_Type "Logon Type" host signature sourcetype
| where user="johndoe" OR user="janesmith"
| sort -_time

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-24-2020 01:47 PM

It's best to put your where clause as far up the pipe as possible to improve performance.  Doing so will have no bearing on the results, however.

Your syntax looks fine, although I prefer to put parentheses around compound where clauses.

Are you sure you have the names correct?

Do you get the right results when you have just one user name in the where clause?

Here's an alternative where clause to try.

| where (match(user, "johndoe") OR match(user, "janesmith"))

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...